Cross-site request forgery (CSRF) vulnerability in the widget-editing accessibility-mode feature in WordPress before 4.7.1 allows remote attackers to hijack the authentication of unspecified victims for requests that perform a widgets-access action, related to wp-admin/includes/class-wp-screen.php and wp-admin/widgets.php.

CVE-2017-5493

wp-includes/ms-functions.php in the Multisite WordPress API in WordPress before 4.7.1 does not properly choose random numbers for keys, which makes it easier for remote attackers to bypass intended access restrictions via a crafted site signup or user signup.

SQL injection vulnerability in wp-includes/class-wp-query.php in WP_Query in WordPress before 4.7.2 allows remote attackers to execute arbitrary SQL commands by leveraging the presence of an affected plugin or theme that mishandles a crafted post type name.

Multiple vulnerabilities have been discovered in libgd2, a library for programmatic graphics creation and manipulation, which may result in denial of service or potentially the execution of arbitrary code if a malformed file is processed.

For the stable distribution (jessie), these problems have been fixed in version 2.1.0-5+deb8u9.

For the testing distribution (stretch) and the unstable distribution (sid), these problems have been fixed in version 2.2.4-1.

We recommend that you upgrade your libgd2 packages.

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Michal Marek discovered that ruby-archive-tar-minitar, a Ruby library that provides the ability to deal with POSIX tar archive files, is prone to a directory traversal vulnerability. An attacker can take advantage of this flaw to overwrite arbitrary files during archive extraction via a .. (dot dot) in an extracted filename.

For the stable distribution (jessie), this problem has been fixed in version 0.5.2-2+deb8u1.

We recommend that you upgrade your ruby-archive-tar-minitar packages.
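The check an archive extractor needs against the traversal described above, as an added example in Ruby that is not minitar's own code: each entry name is rejected if it is absolute, starts with `~` (which Ruby's `File.expand_path` would expand to a home directory), or contains a `..` component, and the resolved path is then confirmed to stay inside the destination directory. The helper names and the sample entry list are constructed for this example.

```ruby
# Added example, not code from ruby-archive-tar-minitar or the advisory.
# Validates tar entry names before extraction so that ".." components or
# absolute names cannot write outside the destination directory.

# Returns the absolute path the entry would be written to, or nil if the
# entry name must be rejected (hypothetical helper name).
def safe_extraction_path(dest_dir, entry_name)
  # Absolute names and "~" prefixes never belong in an archive entry;
  # File.expand_path would expand "~" to a home directory, so reject early.
  return nil if entry_name.start_with?('/', '~')
  # Reject any ".." path component, even one that would resolve inside
  # dest_dir; a strict rule is easier to reason about than a clever one.
  return nil if entry_name.split('/').include?('..')
  # Defence in depth: resolve the path and confirm containment.
  base = File.expand_path(dest_dir)
  target = File.expand_path(entry_name, base)
  return nil unless target == base || target.start_with?(base + File::SEPARATOR)
  target
end

# Splits entry names into {name => resolved path} and a list of rejected names.
def partition_entries(dest_dir, names)
  allowed = {}
  rejected = []
  names.each do |name|
    path = safe_extraction_path(dest_dir, name)
    path ? allowed[name] = path : rejected << name
  end
  [allowed, rejected]
end

# Constructed sample entry names mixing benign and traversal cases.
SAMPLE_ENTRIES = [
  'README', 'src/main.rb',              # benign
  '../etc/passwd', 'a/../../x',         # dot-dot traversal
  '/etc/shadow',                        # absolute path
  'dir/../ok.txt'                       # resolves inside, still rejected
].freeze

if __FILE__ == $PROGRAM_NAME
  allowed, rejected = partition_entries('/tmp/extract', SAMPLE_ENTRIES)
  puts "allowed:  #{allowed.inspect}"
  puts "rejected: #{rejected.inspect}"
end
```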
